Security & Trust
We handle review data, customer information, and merchant integrations for thousands of stores. This page covers what we actually do to keep that data safe.
Last Updated: March 2026
Security at a Glance
| Security Domain | What We Do |
|---|---|
| Encryption in Transit | TLS 1.2+ on all endpoints: API, dashboard, widget delivery |
| Encryption at Rest | AES-256 encryption on all databases (MongoDB Atlas) and file storage (Azure Blob, AWS S3) |
| Authentication | JWT-based API auth, OAuth 2.0 for platform integrations, bcrypt password hashing |
| Access Control | Role-Based Access Control (RBAC) with Admin, Editor, and Viewer roles per workspace |
| DDoS & WAF Protection | Cloudflare Web Application Firewall with DDoS mitigation across all services |
| Infrastructure | Microsoft Azure App Services with auto-scaling, Docker container isolation |
| CDN & Performance | Cloudflare CDN with 300+ global edge locations for widget delivery |
| Payment Security | No credit card data touches our servers. Billing is handled by Chargebee (PCI DSS Level 1) |
| Email Security | AWS SES with DKIM/SPF domain verification for authenticated email delivery |
| Monitoring | Real-time error tracking (Sentry), Slack alerts, health-check endpoints |
| Data Isolation | Multi-tenant architecture with workspace-level logical data separation |
| CI/CD | GitHub Actions with encrypted secrets vault. No plaintext credentials in pipelines |
Infrastructure Provider Certifications
Our infrastructure runs on cloud providers that hold their own compliance certifications. These cover the physical, network, and platform layers below our application.
| Provider | Role | Certifications |
|---|---|---|
| Microsoft Azure | Hosting, compute, storage, message queuing | SOC 1/2/3, ISO 27001, ISO 27018, GDPR, HIPAA, PCI DSS |
| MongoDB Atlas | Primary database | SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR |
| Cloudflare | CDN, WAF, DDoS protection | SOC 2, ISO 27001, PCI DSS, GDPR |
| AWS (SES/S3) | Email delivery, file storage | SOC 1/2/3, ISO 27001, PCI DSS, GDPR, HIPAA |
| Chargebee | Billing & subscriptions | PCI DSS Level 1, SOC 2, GDPR |
Our Compliance Roadmap
SOC 2 Type II
Status: On Roadmap. Our controls map to SOC 2 Trust Service Criteria today. Formal certification is planned, and we share our control mapping on request.
ISO 27001
Status: On Roadmap. We follow security management practices aligned with ISO 27001 Annex A. Certification is on our roadmap.
Penetration Testing
Status: Planning. We are planning to bring in a third-party security firm for a formal penetration test. Results will be shared with enterprise customers on request.
Security Governance
Security responsibilities are embedded into engineering roles at WiserReview, not siloed into a separate department. At 15 people, this means direct accountability and fast decision-making.
| Role | Person | Security Responsibilities |
|---|---|---|
| Security Officer | Security Leadership | Overall ownership of the security program; final decision authority on security matters; policy sign-off; breach notification |
| Engineering Lead | Senior Engineer | Infrastructure security; CI/CD pipeline security; production access controls; Azure, MongoDB Atlas, Cloudflare configuration; code review oversight |
| Development Team | All Developers | Secure coding practices; participating in code reviews; following this policy; reporting security concerns promptly |
| All Employees | Entire Team | Adherence to this policy and all sub-policies; protecting access credentials; reporting suspicious activity; completing security awareness sessions |
Risk Management
WiserReview takes a pragmatic, risk-based approach to information security. The Engineering Lead and Security Officer jointly assess risks and implement controls proportionate to impact.
| Risk Category | Primary Controls |
|---|---|
| Unauthorized data access | JWT auth, RBAC, client-scoped queries, MongoDB Atlas IP whitelisting |
| Data breach or exfiltration | TLS 1.2+ in transit, AES-256 at rest, container isolation, Cloudflare WAF |
| Service disruption or DDoS | Cloudflare L3/L4/L7 DDoS protection, Azure auto-scaling, 99.95% SLA |
| Credential compromise | bcrypt hashing (cost 12), OAuth 2.0, no plaintext credentials, GitHub secrets vault |
| Supply chain or dependency attacks | Docker pinned dependencies, multi-stage builds, Azure Container Registry |
| Insider threat | Least-privilege access, no direct production SSH, audit trails |
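The "client-scoped queries" and per-workspace RBAC controls listed above, shown as an added illustration rather than WiserReview's own code. It assumes the JWT has already been signature-verified and that its claims carry a `sub` user id and a `workspaces` map of workspace id to role; that claim layout, the `ReviewStore` stand-in and the sample documents are all constructed for this example. The point it makes is structural: every query filter is built by one function that inserts the tenant scope after the role check, so a query without a `workspace_id` cannot exist and a caller cannot override the scope.

```python
from typing import Dict, List, Optional

# Added example, not WiserReview's code. Roles and actions are hypothetical
# choices for this illustration; the page names the three roles but not
# their exact permission sets.
ROLE_PERMISSIONS = {
    "Admin": frozenset({"read", "write", "delete"}),
    "Editor": frozenset({"read", "write"}),
    "Viewer": frozenset({"read"}),
}


class AccessDenied(Exception):
    """Caller is not a member of the workspace, or the role lacks the action."""


def authorize(claims: Dict, workspace_id: str, action: str) -> str:
    """Return the caller's role in workspace_id or raise AccessDenied.

    Membership comes only from the (already verified) token claims, and an
    unknown role gets an empty permission set rather than a default.
    """
    role = claims.get("workspaces", {}).get(workspace_id)
    if role is None:
        raise AccessDenied(f"{claims.get('sub')} is not a member of {workspace_id}")
    if action not in ROLE_PERMISSIONS.get(role, frozenset()):
        raise AccessDenied(f"role {role} may not {action} in {workspace_id}")
    return role


def is_allowed(claims: Dict, workspace_id: str, action: str) -> bool:
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(claims, workspace_id, action)
        return True
    except AccessDenied:
        return False


def scoped_filter(claims: Dict, workspace_id: str, action: str,
                  extra: Optional[Dict] = None) -> Dict:
    """Build a query filter that always carries the tenant scope.

    All data access goes through here, so the workspace_id key is present
    on every query, and a caller cannot smuggle a different workspace_id
    in via `extra`.
    """
    authorize(claims, workspace_id, action)
    if extra and "workspace_id" in extra:
        raise ValueError("workspace_id is set by the authorization layer, not the caller")
    return {"workspace_id": workspace_id, **(extra or {})}


def _matches(doc: Dict, flt: Dict) -> bool:
    """Equality-only matcher standing in for a database query engine."""
    return all(doc.get(k) == v for k, v in flt.items())


class ReviewStore:
    """In-memory stand-in for a reviews collection (constructed sample data)."""

    def __init__(self, docs: List[Dict]):
        self.docs = [dict(d) for d in docs]

    def find(self, claims: Dict, workspace_id: str, extra: Optional[Dict] = None) -> List[int]:
        flt = scoped_filter(claims, workspace_id, "read", extra)
        return [d["_id"] for d in self.docs if _matches(d, flt)]

    def delete(self, claims: Dict, workspace_id: str, review_id: int) -> int:
        # The scope is part of the delete filter too, so an id from another
        # workspace matches nothing even for an Admin.
        flt = scoped_filter(claims, workspace_id, "delete", {"_id": review_id})
        before = len(self.docs)
        self.docs = [d for d in self.docs if not _matches(d, flt)]
        return before - len(self.docs)


# Constructed sample documents and token claims for the demonstration.
SAMPLE_REVIEWS = [
    {"_id": 1, "workspace_id": "ws_a", "rating": 5},
    {"_id": 2, "workspace_id": "ws_a", "rating": 2},
    {"_id": 3, "workspace_id": "ws_b", "rating": 4},
]
EDITOR_A = {"sub": "user_1", "workspaces": {"ws_a": "Editor"}}
ADMIN_A = {"sub": "user_2", "workspaces": {"ws_a": "Admin"}}


if __name__ == "__main__":
    store = ReviewStore(SAMPLE_REVIEWS)
    print(store.find(EDITOR_A, "ws_a"))       # [1, 2]
    print(store.delete(ADMIN_A, "ws_a", 3))   # 0: review 3 belongs to ws_b
```

The design choice worth copying is that `scoped_filter` is the only way to obtain a filter: membership and role are checked first, the scope key is added second, and nothing downstream can drop or replace it. That is what turns "workspace-level logical separation" from a convention into something the code enforces.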
Detailed Documentation
Infrastructure Security →
Technical security controls across hosting, network, database, and application layers.
Data Privacy & Protection →
How we collect, process, store, and protect personal data, and our GDPR alignment.
Platform Architecture →
Multi-tenant microservices architecture, high availability, and disaster recovery.
Compliance & Certifications →
SOC 2 / ISO 27001 control mappings and compliance roadmap.
Enterprise Security FAQ →
Pre-answered questions covering access control, encryption, incident response, and more.
Security Training →
Employee security awareness, onboarding checklist, secure coding practices, and training records.
Incident Response →
Incident classification, response team, detection, containment, and breach notification procedures.
Access Control →
Role-based access control, authentication mechanisms, least privilege, and production access controls.
Backup & Recovery →
Backup strategy, recovery objectives (RTO/RPO), disaster recovery scenarios, and monitoring.
Change Management →
Change classification, CI/CD pipeline, rollback procedures, and environment separation.
Security Inquiries
For security inquiries or documentation requests:
Tatvam Cloud Solutions, LLP
[email protected]